THAILAND needs to quickly enact data privacy legislation as the country moves ahead with the digital economy and society platforms, according to legal and other experts.

The Ministry of Digital Economy and Society (MDES) is currently revising a 10-year-old draft of the proposed law to catch up with the latest challenges as evidenced by the recent personal data leak fears involving telecom operator TrueMoveH. It is feared that the security of ID-card and other personal data of more than 10,000 Thai customers might have been compromised.

Bhume Bhumiratana, a researcher and expert on cybersecurity, said MDES was expected to finalise the new draft for Cabinet approval and enactment by the National Legislative Assembly by the end of this year, even though the European Union’s (EU) General Data Protection Regulation (GDPR) law is due to be effective from May 25 this year. The GDPR is said to be the world’s new legal standard on data privacy and related regulations with its enforcement affecting other countries, including Thailand, as the personal data of all EU citizens will be protected under the new EU law with binding conditions for companies with EU customers.

Paiboon Amonpinyokeat, a cyber law expert, said the MDES will have to update the new draft law to cover data leaks as happened recently in the TrueMoveH case so that preventive and remedial measures could be taken in the future.

In addition, the new draft needs to cover the latest developments in e-commerce, given the advent of Alibaba and other online giants, since Thai laws currently cover only persons and juristic persons as data controllers and processors whereas today’s robots and artificial intelligence (AI) machines are used for those tasks in e-commerce and related transactions.

Paiboon said Thais still have a low awareness of data privacy issues, which are becoming crucial in their daily life due to the fast-growing development of online and mobile banking, e-commerce and other digital services.

Bhume said the lack of a data privacy law has led to consumer abuse, which will become widespread in the coming years due to the advancement of the digital economy and society. For example, banks have used their customer data without specific consent from customers, allowing sales personnel to follow up with customers without authorisation after customers open their bank accounts. In the case of the EU’s GDPR law, customer consent needs to be specific to prevent data abuse, he said, while Prinya Hom-anek, president and chief executive officer of ACIS Professional Centre, said data abuse is widespread and there is no law to require the removal of such data.

Paiboon said the EU’s GDPR law will also impact Thailand and Thai businesses with EU customers since the country will be required to enforce applicable laws consistent with the EU law. For example, Thai firms will be required to report any data leak involving EU citizens within 72 hours and the country could be on the EU blacklist if it did not comply with the EU law.

In addition, the EU law imposes a heavy penalty on violators. A company which breaks the law could face a fine of up to 4 per cent of its annual sales turnover. The EU law also has clauses on the right to be forgotten, meaning that owners of personal data have the right to delete their data.

Paiboon said Thailand’s fast-growing e-commerce sector would be hit by the EU law if there were compliance issues, affecting the country’s push for the digital economy as there was no prior arrangement with the EU ahead of the enforcement.

The new MDES draft, he said, needed to ensure that personal identities of Thai citizens were adequately protected both online and offline since more cyber-criminals would turn to abusing loopholes, such as by using fake online IDs as well as fake physical ID cards. The government must invest in mechanisms that can plug these loopholes, he said.

Paiboon said about 40-50 per cent of the old draft needed to be rewritten to meet the latest challenges on data privacy and related issues, citing disclosure of personal data as another example. Online service providers should be required to adopt the minimisation rule so that they do not disclose any item of personal data unless the data owner has specifically consented to its disclosure.

Arthit Suriyawongkul, coordinator of Thai Netizens Network, said the country needed a more independent regulatory body on data privacy and related issues, while Paiboon said the MDES should no longer head the body as its new structure should be like that of the National Human Rights Commission.